Digital lender fined Sh5m for breaching personal data laws
The Office of the Data Protection Commissioner (ODPC) has issued two penalty notices of Sh5 million each against Whitepath and Regus Kenya Ltd for violating data protection regulations.
A statement from the office headed by Data Commissioner Immaculate Kassait said the two failed to comply and cooperate with the office following complaints lodged against them by users of their services over breach of personal data.
The ODPC received close to 150 complaints against Whitepath, alleging that their applications accessed mobile phone contacts and sent unwarranted and unsolicited text messages to these contacts, the government agency said in a statement.
Whitepath is accused of violating the provisions of the Data Protection Act 2019. The Act requires companies to obtain explicit consent from individuals before collecting and using their personal data.
The company loans money through an online lending platform which provides loans to borrowers in Kenya.
Investigations launched into the allegations against Whitepath found that the company had failed to comply with the provisions of the Act.
ODPC said Whitepath’s applications accessed users’ mobile phone contacts without their consent and sent unsolicited text messages to these contacts. “This constitutes a breach of the provisions of the Data Protection Act, which requires companies to obtain explicit consent from individuals before collecting and using their personal data,” it said.
Personal information
Speaking on the notices, Kassait said data protection is the responsibility of every data controller and processor and it must be the company’s top priority whenever they collect, process, or store personal information. “I challenge businesses to protect personal data by design and by default and cooperate with the ODPC to avoid penalties,” she added.
The penalty for the digital lender comes amid attempts by the Central Bank of Kenya (CBK) to stop unlicensed digital credit providers (DCPs) that have run amok by incessantly calling guarantors and debt dodgers when tracking down unpaid loans, contrary to a legal requirement that calls for civility. The Business Hub is in receipt of two communications from DCPs using threats and profane language in a bid to settle overdue loans, contrary to ODPC and CBK regulations.
The law gives regulators powers to expressly bar digital lenders from using threats, violence, and “obscene or profane language against customers or their references or contacts for purposes of shaming them” in the course of debt collection.
In one of the communications, a DCP engaged a guarantor on the need to be cautious of their details, which were being used to obtain loans without approval, contrary to the data protection laws.
“Kindly, take charge and control of your important details from being used by delinquent debt dodgers like….of ID….age 35 years, who used them when borrowing loan from us amounting Sh12,600 and now is ignoring us” wrote one of the lenders.
“This serious defaulter could be going round online borrowing with many other apps and using your details as guarantor/ referee. You are the first referee to the said person, Forward the message immediately and tell the client to clear the loan now. Avoid being denied financial assistance from lending institutions because of this rogue client. Apologies for the very many messages you will receive until the client clear the loan” said the lender.
Regus Kenya, on the other hand, has been accused of failing to comply with data protection regulations by failing to secure the sensitive personal data of its clients. The company provides flexible workspace solutions to businesses and individuals in Kenya.
ODPC launched an investigation into the company’s data protection practices and found that the company had failed to adequately secure the sensitive personal data of its clients.
Explicit consent
It issued the penalty notices against Whitepath and Regus Kenya as a warning to other companies that are collecting and using personal data without obtaining explicit consent from individuals. The ODPC has stated that it will not hesitate to take action against companies that fail to comply with the provisions of the Data Protection Act.
The ODPC has also advised individuals to be cautious when downloading applications and to read the terms and conditions carefully before consenting to the use of their personal data. Individuals should also report any cases of data protection violations to the ODPC to ensure that their rights are protected.